Akamai Diversity

Akamai Security Intelligence
& Threat Research

Credential Stuffing Attacks During the COVID-19 Pandemic

Since COVID-19 isolation protocols started in the United States in early March, bad actors have had a lot of time on their hands and a large pool of victims to target. Thousands of people, millions across the globe, suddenly found themselves working from home and away from many of the enterprise-grade protections that governed their day-to-day workflow.

Immediately, remote work became the norm. With that, remote access to applications and services started to gain momentum - as more and more people turned to the internet to get things done. Yet, many of those turning to their favorite application, game, or web-based service chose to trade security for ease of use and access. This created an attack surface that criminals wasted no time taking advantage of.

So, what kinds of trades were they making? In many cases, these security tradeoffs consist of outdated software, mixing personal and corporate emails for a wide range of personal uses, and recycling passwords.

Password recycling is a common tradeoff and a massive problem. Between December 2017 and November 2019, Akamai observed 85 billion credential stuffing attacks across our customer base, and nearly 20% of those attacks were targeting obvious API endpoints. Such attack volume speaks to the resources available to criminals, who automate their efforts and wait for the results (confirmed and verified account matches) to roll in.

These days, criminals are starting to re-check their credential stuffing lists and test them against services that are surging in popularity, due to the COVID-19 crisis. The most popular of these services is Zoom, a communication platform that enables a wide range of collaboration tools, which made it the go to service for businesses, governments, and schools.

Lately, there has been a lot of talk about Zoom security issues. Some of these conversations are important and needed, which is why Eric S. Yuan, Zoom's CEO and Founder, said his company will shift all of its engineering resources towards addressing their biggest trust, safety, and privacy issues. The company has also teamed up with Katie Moussouris, the security industry's foremost expert on bug bounty programs, and her company Luta Security, to reboot Zoom's bug bounty program.

On April 13, 2020, Zoom greeted the week with negatively-focused headlines like: 500,000 hacked Zoom accounts are being sold on the Dark Web. Some news websites claimed the accounts were hacked, and another said that the accounts were "compromised in a Dark Web data breach."

The thing is, these "hacked" accounts are not what the headlines might lead you to believe. First, Zoom didn't experience a data breach, and there was no mysterious "Dark Web data breach" either. Second, a majority of these accounts have been traded, sold, or freely given away as part of various credential stuffing lists for several years.

The Zoom accounts mentioned by the media were part of a collection being sold, and the security company that purchased them, did so to see if its clients were included in the list, as well as gain some public attention for itself.

Rather than speculate about the merits of a marketing tactic, let's examine the immediate aftermath of these fear inducing headlines. Organizations across the globe took notice, driving business leaders to task their threat intelligence teams with the job of tracking down this list and verifying it. I should know, I helped several external threat intelligence researchers in the days shortly after the headlines emerged.

Recycled Cash

Credential stuffing is a numbers game. If the list a criminal is working from is large enough, it's only a matter of time before they're successful in their attack. Part of the criminal's success comes from password recycling, the usage of weak and easily guessed passwords, and lack of visibility on the target's side of things. Most credential stuffing attacks are automated, driven by all-in-one tools or bots that mimic human interaction, making it hard to tell legit traffic from malicious.

Credential stuffing lists are so readily available, that criminals routinely dump the lists they're not using to the public, offering them freely to anyone and gaining reputation points in return. In late March and early April of this year for example, criminals started dumping Zoom credentials freely to various public forums. Of the 1,354 dumped Zoom credentials I checked against "Have I Been Pwned?", only 50 of them were previously unknown. All of the others were previously exposed by various data breaches dating back to 2012.

But the fact that the combinations being traded were old didn't matter, which is why one seller, its shop is displayed in Figure 1, started running a basic validator and compiling lists of possible Zoom users. Originally, the seller offered them for 50 cents each, but that price dropped to 25 cents a short time later before the credentials were eventually pulled from the shop entirely. Other indicators that the lists being sold were generated based on previous leaks include the fact that the massive lists where records were less than a penny each. 

Figure 1: A scammer wasted no time compiling a list of recycled usernames and passwords targeting Zoom accounts

Credential Stuffing and Harassment 

Another recent leak of recycled credentials centered on the Bill and Melinda Gates Foundation, the Wuhan Institute of Virology (WIV), the National Institutes of Health (NIH), and the World Health Organization (WHO).

On April 19, thousands of usernames and passwords from these organizations started to circulate on the internet, with claims that they had suffered data breaches. While assisting reporters with the New York Times and NBC News, it didn't take long for me to discover that the majority - if not all - of the leaked passwords were recycled from previous data breaches and incidents.

For example, of the 270 Bill and Melinda Gates foundation accounts published to the public, all but one could be sourced to breaches dating back to 2012. All of the WIV accounts were previously exposed as well. The WHO and NIH lists also were recycled, with many of them appearing in the AntiPublic credential list, as well as Collection 1.

The reasoning behind the leak of these credentials, based on public comments and forum posts, was targeted harassment of policy makers and political rivals by people who encouraged others to try using the credentials to access accounts illegally and expose any information found.

Conclusion

To be clear, credential stuffing is a problem that affects every organization, both large and small. No one is immune to attempts, but some are better at fighting them off than others. For individuals, credential stuffing is still a problem, but one we can deal with by assessing our own personal risk tolerances. 

For example, while throwaway passwords are quite common, it's important to consider the risk if the account might be exposed when using them. If there is even a remote chance the account in question will become valuable to you, or if there is something of value to a criminal - personal information, unique account assets, financial statements or records, etc. - it's best to skip the throwaway password and use something significant.

Use a password manager for significant passwords, which relies both length and complexity, to ensure that passwords are not shared among accounts - a critical element to defending against credential stuffing attacks. This is because if passwords are recycled, then a single compromised account can quickly turn into many compromised accounts.

High value accounts need to be protected more than others. They're high value for a reason, but only you can determine what is high value. Banks, email accounts, and social media accounts, should score high in these determinations. They're critical elements to many aspects of your day-to-day life, especially now during mandatory quarantines. 

In addition to password managers and password complexity, make sure you're using multi-factor authentication, such as Google Authenticator or Duo. If SMS is the only option available, you should still enable and use it, because defenses like these make it harder for criminals to passively scan and compromise accounts.

 The key defense against credential stuffing is unique passwords to the individual account and passwords that are both complex and long. Humans have a hard time creating complex passwords, leading to passwords that are often shared, recycled, and reused. This is why password managers are important.

 

So, change your password. Make it unique to each account. Wash your hands.